One last piece of information: we already use pam-ldap for other system users, so if there is a way to not duplicate the ldap configuration in sssd.conf, or to not totally replace the current pam-ldap by sssd (which could make sense though), it would be great.
Thanks
--
Cyril

> On Mar 12, 2016, at 22:27, Cyril Scetbon <[email protected]> wrote:
>
> Hi Guys,
>
> I've made some tests and I have a few questions regarding sssd.
>
> We were using pam_ldap and at first I thought that sssd could work with
> pam_ldap but I didn't find a way to make it work.
> If I enable the debug mode in the pam section, I don't see anything. As sssd
> can query for the ldap password + do the caching, it may be the reason why
> they can't work together.
>
> I've been able to make it work by putting my ldap configuration in the domain
> section and I've verified that if the ldap server becomes unavailable then
> sssd uses the password version it has cached:
>
> [sssd[be[default]]] [sdap_pam_auth_done] (0x0100): Password successfully
> cached for mouser
>
> However, when the ldap server is available, I see that every time I try to
> log in, it does an ldap request instead of reusing the value it has cached:
>
> [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling
> ldap_search_ext with
> [(&(uid=myuser)(objectclass=posixAccount))][dc=fti,dc=net]
>
> As entry_cache_timeout is set to 600 per default, I would expect sssd to only
> query the ldap every 600 seconds and use the cached value otherwise. What am
> I missing?
> I see sssd tries to access many attributes for my user and that some of them
> are missing. Can it be the reason it doesn't reuse the cache except if the
> ldap is offline?
>
> Thank you
> --
> Cyril
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
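As an added illustration, not part of the thread, here is a minimal sssd.conf of the shape the quoted message describes: the LDAP settings in the domain section, credential caching switched on so that offline logins work, and verbose logging in the pam section. The search base dc=fti,dc=net is the one visible in the quoted log line; the LDAP URI is a placeholder, and the TLS settings are an assumption added for transport protection rather than something the thread mentions.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]

[pam]
# Verbose logging for the pam responder (sssd_pam.log)
debug_level = 9

[domain/default]
# LDAP settings live in the domain section, as in the thread
id_provider = ldap
auth_provider = ldap
# Placeholder URI, not from the thread
ldap_uri = ldap://ldap.example.invalid
# Search base seen in the quoted ldap_search_ext log line
ldap_search_base = dc=fti,dc=net
# Assumed hardening: protect the bind and password checks in transit
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

# Required for the "Password successfully cached" behaviour and offline logins
cache_credentials = true

# Lifetime of a cached identity entry (user/group lookups through nss_sss)
# before the backend is asked again; this is an identity-lookup timer
entry_cache_timeout = 600

# Verbose logging for the backend (sssd_default.log)
debug_level = 9
```

The comment on entry_cache_timeout is the caveat worth keeping in mind when reading the quoted logs: it controls how long identity entries are trusted, whereas an online password check in the pam path is a separate decision. Newer sssd releases document a distinct domain option, cached_auth_timeout, for reusing cached credentials while the server is reachable; whether it exists in the version in use is something to confirm in that version's sssd.conf(5) man page rather than assume.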
